Draft minutes for 12 Jan meeting

[Rich Salz <rsalz@datapower.com>]

Please send me corrections.  I missed a couple of speaker's names; look 
for "?:".  Two new action items; look for "NEW AI"

	/r$


-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
>Date:  Monday, 12 January 2004
>Time:  12:00pm - 01:00pm Eastern Time

>1. Welcome by chair (Nick Pope).

        Done.

>2. Confirm Minutes Secretary (Rich Salz)
        
        Done.

>3. Roll Call.

        Details to be provided by Hal.
        Numbers were 12 of 20 -- quorum achieved.

>4. Approval of Agenda

        Approved by acclamation.

>5. Approval of Minutes of DSS TC Face to Face previous meeting:
>15 December 2003
>http://www.oasis-open.org/apps/org/workgroup/dss/download.php/4637/dss-minutes-15-dec-2003.txt

        Approved by acclamation.

>6. Review of outstanding actions

        See below.

>7. Core document. (WD-09)
>http://www.oasis-open.org/apps/org/workgroup/dss/download.php/4915/oasis-dss-1.0-core-spec-wd-09.doc

        Trevor: Minor changes in most recent version -- AI
        03-11-04-1, and a typo fix.  Mostly stable, need to track
        profiles and bindings, update references.  PDF version
        now available.

>8. Profiles - presentation of initial ideas

>- Timestamping
>     http://www.oasis-open.org/apps/org/workgroup/dss/download.php/4919/oasis-dss-1.0-timestamping-profile-spec-wd-01.doc

        Trevor:  Hopefully produce template for others to use.
        Have some questions, including:
           +What type of timestamp to produce (RFC 3161, XML, etc);
            allow multiple types, or define a specific format (X509
            based?)
           +[Sorry, I missed this one.]
           +What type of security (signed requests, authenticated errors,
            etc) is needed for the protocol interactions?
        Trevor will send out a summary of the issues. [NEW AI]

        Nick:  worth separate sections on bindings, protocols, etc.
        Will send email with more details.

        Juan-Carlos:  If doing CMS-signatures, need to understand
        relationship to RFC 3161 -- is it a competitor?

        Trevor(?): This is a good reason to be generic on timestamp
        format.

        Nick: endorse using timestamp profile as layout template for
        others.


>- XAdES
>      http://www.oasis-open.org/archives/dss/200401/doc00000.doc

        Juan-Carlos:  short proposal with underlying thoughts.
        Based on lifecycle of XAdES: creation, initial verification,
        refresh/update (such as for archiving) or asking for timestamp
        for validation, re-verification for (after the fact)
        arbitration purposes.  Profile would support all these phases.

        ?: Arbitration?

        J-C:  Yes, open archive and re-verify.

>- WS-Security profile

        Nick:  Frederick is interested, but was not present at the meeting
        to provide update.

>- Corporate seal profile

        Nick:  Also of interset to legalXML.  Will wait and see
        to better understand their requirements, discuss with John.
        Idea is to support third-party.

        John:  I thought we also wanted to support an entity acting
        on its own behalf.  And take on legal obligation as a result.

        Nick: This is more than just integrity.

        John:  yes.

        Nick:  This might be same mechanism, but meaning behind it
        might be different.

        John:  Need to make sure person acting as the signer is authorized,
        to make sure it's not "hijacked."  Different from tamper-proof seal.

        Nick:  This might be a separate profile.

>- Code-signing profile

        Peter:  Mapping elements from core to code-signing world.
        Want to keep it generic, than in appendices have mappings to
        specific code-signing formats.  Alternative is to have separate
        documents.  A reason for this is that there are a large number
        of code signing formats, so separate documents might be easier
        to add support.  More details to be posted to the list.

        Nick:  Generic profiles, with sub-profiles?

        Peter:  Yes.  Here's the generic, and then here's how to
        apply the generic to CAB files, etc.  Need to think how to
        enable many types of mappings.  I will send to the list to
        get the ball rolling.

>- EPM Profile

        Nick:  Steve expressed interest on the list in submitting
        something; they need to get the right resources involved.

        Juan-Carlos:  We should take an action to ping them via
        email.  [NEW AI on the chairs]

    Discussion on policy-wise
        Paul:  Core allows for many options
        Paul: Server is responsible for determine signature
        type, etc.

        Nick:  So this is for a dumb client?

        Paul:  Dumb, or underprivileged.  (The new term for the
        old classic "lightweight"?)

>9. Profiles - next steps
>- Tasks on specific profiles
>- Co-ordination tasks
        Nick: How to organize profiling, find common
        structure, ensure alignment with the core?

        Juan-Carlos:  A general coordinator would need to assess
        alignment of profiles with core.  For example, XML constructs
        being re-used from the core.  In XAdES we came up with
        a list of tasks on how to accomplish the profile.

        Rich:  so it's like a "style manager."  I think it's a
        very good thing.

        Nick:  think about taking on this role.  Chairs will discuss.

        Juan-Carlos: what about a task list?  We [chairs] should discuss
        to see which of the tasks make sense to circulate for others
        doing profiles.

        Nick:  Some, such as time-stamping, are very straightforward.
        Some will need more work.

        Juan-Carlos:  Yes.  Having a task list makes it easier to
        track progress of profiles when we better understand what they
        need to specify.

        Nick:  Really want a short document from all profiles for next
        meeting so that we can determine what the next steps should be.

        Trevor: Authors should look at TS profile, which is pretty
        simple, to see how appropriate the structure is to their
        profiles.

        ?: You mean the XAdES outline?

        Nick:  That's the minimum; if you can get into more detail,
        that's fine.  But do it in time for review at next meeting.

>10. Any other business

        None.

>11. Confirm next conference call: 26th Jan 04

        Confirmed.

>12. Close

        Done.

>--

>Outstanding Actions:

>03-11-04-1 / 03-12-15-1: Trevor is to add a note in the core document
>to indicate that profiles must explain the semantics of the claimed
>identity element.

        Done.

>03-11-17-3   Juan-Carlos has circulated a proposal: Potential
>contents of additional details present in the verification response -
>JC/Trevor to continue discussion on potential contens for additional
>details

        Their discussions continuing; still open.

>03-11-17-4. John Messing to ask the legalXML group meeting if they
>want to submit a profile for DSS and if they want to will (sic) it to be
>defined as a formal signature.

        Issue raised; they have no interest.  They are considering
        a "digital lock" which is like other DigSig profiles.
        Likely: hash will be minimal, but sig will be "best practice."
        Formal issue closed, but John will track with they're doing.

>03-12-15-2: Juan-Carlos and Nick are to request expressions of
>interest in developing profiles for the next meeting.

        Done.  Some interest expressed; see below.

>03-12-15-3: All who are interested in developing a profile are to
>provide a discussion of the proposed characteristics of the profile
>by the next meeting.

        Paul Madsen policy-wise server profile: how to use DSS
        protocol when all hash mechanism, etc., issues are handled by
        server.  Paul to send a note to the list.